No "compromised logins" showing up after new breach alert?

Hello 1Password team!

I am using 1Password on Windows to manage my credentials, and especially for the very useful Watchtower feature. I (unfortunately) got an email from Have I Been Pwned warning me that one of my accounts had been pwned in the Collection #1 breach. But when I take a look in Watchtower, there is no entry in "Compromised logins" and no account linked to the pwned email under the "Vulnerable passwords" category. Shouldn't there be at least one entry?

Or does it mean I already changed my password for the incriminated account (i.e. my email:password in the breach is from an old leak or obsolete) so I am safe?

To be sure the account was listed in my 1Password vault (as I have no way to know which website my account was leaked from: the email just said I was in the Collection #1 breach, not which particular site in the breach my account was taken from), I set my verified email to the pwned one and ran the "Breach report" on the 1Password website.

It said:

Your data was found in 5 breaches.

We’ve searched the haveibeenpwned.com database for [my_pwned_email] and found 5 inclusions of your data. Change these passwords to keep your accounts safe.

Add these logins to your vault & change passwords
Passwords already changed, no action required
Dropbox
dropbox.com
This site was breached in July 2012. Here’s what was included: Email addresses, Passwords.

I don't really understand why there is only Dropbox in the list if it says "5 inclusions"? Am I right to suppose there is no new account to be added to my vault here? Should I consider that despite the HIBP alert, my account is safe, whichever it is? Also, is there no way to know which one it is thanks to Watchtower?

Thank you :)


1Password Version: 7.3.657
Extension Version: 1.13.2
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • MikeT
    edited January 2019

    Hi @Ren,

    Thanks for writing in.

    Or does it means I already changed my password for the incriminated account (i.e. my email:password in the breach is from an old leak or obsolete) so I am safe ?

    The "Collection #1" data breach itself is just a collection of various data breaches over time from various sources; there's no indication of what's new or old. What HIBP is saying is that this new database has your email address in it. The problem with this collection is that it's very messy.

    Note that:

    In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive.

    In other words, the data breach may have 5 inclusions of your email address in different formats but with the same password. So, if you changed it, 1Password won't notify you of this because there's really only one account and you already changed the password for it (HIBP won't know you changed it already). In addition, 1Password's Compromised Passwords is for passwords only, not email addresses. Email addresses can only be checked on the 1Password.com website's Breach Report; we do plan to add this to the 1Password apps in a future update.

    I am right to suppose there is no new account to be added to my vault here?

    Check your Dropbox Login item and make sure it has the same email address as the one you were compromised with. Breach Report can return results that may not be in your 1Password database. In other words, if you have a Dropbox Login item with a@b.com and you enter b@c.com or use it for your 1Password account, Breach Report will report that you may have other items registered with b@c.com that aren't saved in your 1Password database. That's what we meant by creating a new item, because we are assuming you never added a Dropbox item with b@c.com to your database.

    I hope this helps a bit.

  • Ren
    Community Member

    Hello @MikeT !

    Thank you for your answer. I understand better now the distinction between HIBP and 1Password Watchtower.

    So HIBP is "just" telling me that, someone publicly made available a file with my email a@b.com in it, with or without password and/or personal data. There is at least my mail available somewhere in a data leak, that is why I got a warning email. Could or could not be harmful so I should get a look at it. No more, no less (but still is very nice to know!).

    On the other hand, Watchtower compares all my actual passwords with its database of compromised ones and warns me if I am using a password I should not (I'm referring to https://blog.1password.com/finding-pwned-passwords-with-1password/).

    So, to be sure I fully understand how everything works (according to https://support.1password.com/watchtower/) :

    The "Vulnerable passwords" category lists my accounts using passwords that have already been cracked in the past (from any source, not only my account or websites I use). Those accounts may not have been leaked yet but if they are, pirates won't have any difficulty finding the original password as it is already well known. Like, if I'm registering to www.amazon.com using email a@b.com and password password123, it would be a vulnerable password. -If- a data leak from amazon.com should occur revealing my email and password (hashed by Amazon or not), then I would be in big trouble. It is not the case, -yet-, but I should take action to prevent the next case.

    And Compromised logins are sites I am using that have had a recent breach, between the last time I updated my password and the breach time, meaning my actual password has been leaked, either in plain-text or encrypted form. So even if I use a very strong password, I should change it ASAP because I don't know how the website handles it on its side. In the best case, they encrypted it so I am "relatively safe" because hackers can't use it (but will it be listed as vulnerable as its hash is in the wild now?); worst case, they stored it plain (will it be listed as vulnerable in the future too?).

    Right?

    Looks almost clear for me anyway!

    Also, thanks for developing this, it is really convenient, keep up the good job!

    PS: I tried reading some articles about passwords complexity but I still did not understand why Tr0ub4dor&3 is weaker than Oh!i.loVe.eaTing.22,5%.tomatOes.juice! which is weaker than correct horse battery staple ? If you have any article I should read, I am all ears :) New year, new resolutions, new passwords!
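The password check Ren refers to above (the Pwned Passwords lookup behind Watchtower's vulnerable-password list) works by k-anonymity: the client hashes the password with SHA-1, sends only the first 5 hex characters to the HIBP range endpoint (GET https://api.pwnedpasswords.com/range/<prefix>), and matches the remaining 35 characters locally against the returned "<suffix>:<count>" lines. The block below is an added example, not 1Password's or HIBP's code: it replaces the HTTP call with an in-memory stand-in built from a small constructed corpus, runs the same prefix/suffix match over a constructed vault, and records which prefixes the "server" actually received.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the breach corpus behind the range endpoint. The
# passwords and counts are made up for this example; the real corpus holds
# hundreds of millions of entries and is never downloaded by the client.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password123": 123456,
    "letmein": 98765,
    "qwerty": 3800000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_db(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the corpus the way the range API serves it: by 5-char SHA-1 prefix,
    each bucket holding lines of the form '<remaining 35 hex chars>:<count>'."""
    db: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return db


RANGE_DB = build_range_db(CONSTRUCTED_CORPUS)
SENT_PREFIXES: List[str] = []  # what the "server" sees; never a full hash or password


def fake_range_lookup(prefix: str) -> List[str]:
    """Offline replacement for the HTTP call. Only a 5-char prefix ever arrives here."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly the first 5 hex chars of the SHA-1")
    SENT_PREFIXES.append(prefix.upper())
    return RANGE_DB.get(prefix.upper(), [])


def pwned_count(password: str,
                range_lookup: Callable[[str], List[str]] = fake_range_lookup) -> int:
    """k-anonymity check: send the prefix, match the suffix locally, return the breach count."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed vault in the shape of Login items; the first password is deliberately poor.
SAMPLE_VAULT: List[Dict[str, str]] = [
    {"title": "Amazon", "username": "a@b.com", "password": "password123"},
    {"title": "Bank PIN", "username": "a@b.com", "password": "4821"},
    {"title": "GitHub", "username": "a@b.com", "password": "Ve7#kQ2!mZp9Lr4&"},
]


def vulnerable_logins(vault: List[Dict[str, str]],
                      range_lookup: Callable[[str], List[str]] = fake_range_lookup
                      ) -> List[Tuple[str, int]]:
    """Items whose password appears in the corpus at all, regardless of whether
    the site the item belongs to was ever breached (the 'vulnerable' category)."""
    hits = []
    for item in vault:
        n = pwned_count(item["password"], range_lookup)
        if n:
            hits.append((item["title"], n))
    return hits


if __name__ == "__main__":
    for title, n in vulnerable_logins(SAMPLE_VAULT):
        print(f"{title}: password seen {n:,} times in breaches; change it")
    print("prefixes sent to the server:", SENT_PREFIXES)
```

The point of the exercise is the last line: the server learns a 5-character prefix shared by hundreds of candidate hashes, not which password was checked, which is why a password manager can run this against every item in the vault without exposing the vault. Swapping `fake_range_lookup` for a function that performs the real GET would give a working client; the matching logic does not change.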

  • bundtkate

    You've got the Compromised Logins bit entirely correct from my view, @Ren, but I'd add some tidbits to your assessment of Vulnerable Passwords. Although what was breached may not have been your account specifically, Vulnerable Passwords really are a more immediate danger. One of the most common attacks we see is credential stuffing. This is where an attacker will take a list of known e-mails and known passwords and just try combinations on a different site until one works. This is automated, so it goes very quickly and doesn't require a ton of effort on an attacker's part. Of course, websites do have some defenses against this, but it's always much better to get out ahead. I'd change any vulnerable passwords right away, even if they're random, and even if the site you use them on hasn't been breached. Better safe than sorry, right? :chuffed:

    As for password strength, our Chief Defender Against the Dark Arts always explains this really well, I think. The thing he's told me that helped me the most is that passwords are guessed not by trying combinations in a sequential order like if you were cracking a safe, but by trying to act like a human creating a password. Based upon what they know about this human and what they know about human behavior generally, what passwords are most likely? Try those first.

    This is why random is better – humans aren't random, we use common substitutions (like 0 for O or 4 for A). Your first example is easy to guess because those substitutions are so common. Plus, the word you chose would likely have some relevance to you personally – another bad thing for passwords. Your second example loses points for being a full sentence. Sentences are easy for us and more likely to be used than random words. It gains some points for making best efforts at being random by inserting symbols or letters/digits rather than spaces, but it also has some personal meaning (someone might find on social media that you really love eating tomatoes and enjoy tomato juice) which is risky. correct horse battery staple is actually a pretty bad password now (thanks to xkcd drawing so much attention to it), but the formula of using random words is great. They're random (we're not) and they aren't meaningfully connected in any way to each other or to us (so, not a full sentence like what humans come up with and not guessable based upon things the attacker may know or find about you), but it's still easier to remember. Since guessing is done by assuming the password was created by a human and follows such patterns, your best defense is to be as random and inhuman as possible, but when you need to remember a password, random words are great. Still random, but something you can train yourself to remember.

    I know that's not an article, but it was something that helped me so I hope it helps you understand better as well. :chuffed:

  • Ren
    Community Member

    Hello @bundtkate !

    Thanks for your explanation, it is crystal clear and pretty interesting. Security is such a large field :)

    It is true that websites are supposed to have protections against such types of attack but unfortunately, we know there is always a gap between what should be and what really is (due to budget, planning or laziness issues)! I took a look at my vulnerable passwords but unfortunately, there is nothing I can do about them as they are either PIN codes or necessarily weak ones due to the website's password pattern. At least, I know maybe I should change them more often.

    OK for correct horse battery staple being hard for a computer to guess because they use "human thinking"-like dictionaries, but does it mean we can avoid complicated use of special chars, uppercase and numbers? Or should we still add them to our randomly created password to make it even stronger? Something like tomato! BAD 2022 iron english: lowercase, uppercase, special chars, numbers and completely random. Should be perfect? Or is it useless and does it just make it more difficult for us to remember (plus making it even more complicated when websites refuse specific characters or have limited length for passwords)?

    Also, as we should (must) use unique passwords, it gets even harder to remember which random passwords we use for this or that site. Was it apple tom drive nuts or 1password true water cycle? Of course, we could use a very convenient password manager ( :p ) but I personally like to know which password I use on each site so I can log in from anywhere quickly if I want to (and without having to install software, a plugin or to get my phone to check the password in my password manager). Then, why use a password manager? Watchtower of course! And secondly, the interesting question is: are random patterns a good thing or do they make all the security crumble?

    For example, if I use a semi-random pattern like this:
    [the website name's 3 last letters][a dot][my first car's registration plate split with spaces][a fruit][an underscore][the age my mom got married][a space][the first 3 letters of the website name][my favorite software's name split in half]

    Then for amazon.com, it would be zon.123 AZ 45 banana_30 ama1pass word.
    For google.com, it would be gle.123 AZ 45 banana_30 goo1pass word.

    It is unique thanks to some parts being dynamic, and the fixed parts are chosen so as to make a random sentence from a human perspective. It is easy to remember as long as you remember the recipe. Of course, it could be improved to make it even more dynamically generated, so each password would be more different from the others. And if a hacker managed to get the amazon.com password, I'm not sure he would understand the formula and manually try other combinations on other websites.
    According to you, is such a practice a good one?

    Thanks!

  • MikeT

    Hi @Ren,

    For websites and other services where you don't need to memorize, you should use the random characters method, which includes all digits, symbols (there are hundreds), and so on, which don't exist in any words, whereas there are only several thousand English words you can use. Think #()*$# vs. abcd: which are you likely to figure out by hand quickly, abcd or the random characters?

    The word-based passwords are only useful for when you do need to memorize them, and/or for security questions and answers, where they are awesome. Since CS reps may ask you for your security question on the phone, you want to use the random word generator so that it is clear what you're saying.

    It is easy to remember as long as you remember the recipe.

    Anything you need to remember, the criminal hackers can easily figure out by detecting the pattern; all they need to do is see all of the passwords leaked from your accounts and figure out the pattern. Humans are not great at randomness, they're just not; the brain is designed to detect and want patterns, not randomness.

    Just by knowing you have two leaked passwords, zon.123 AZ 45 banana_30 ama1pass word and gle.123 AZ 45 banana_30 goo1pass word, all I have to do is tune my password crackers to [a..Z]*3[dot][0-9]*3[space][A_Z]*2[space][0-9]*2..... and it'll be faster at guessing these two passwords than trying to guess [a-Z, 0-9, all symbols]*12.
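MikeT's point about tuning a cracker to the pattern, as an added example that is not 1Password's code: the block takes the two recipe passwords posted in the thread, derives a hashcat-style mask from the columns that differ between them, compares that mask's keyspace with a 12-character random password over the 95 printable ASCII characters, and then goes one step further than a mask. Under the added assumption that each varying span is the head or tail of the site's first DNS label (the rule Ren described), it instantiates the recipe for a site that has not leaked yet. The github.com guess and the site-slice rule are illustrative assumptions, not anything from the thread.

```python
import string
from typing import Dict, List, Optional, Tuple

# Constructed input: the two recipe passwords as posted in the thread, keyed by site.
LEAKED: Dict[str, str] = {
    "amazon.com": "zon.123 AZ 45 banana_30 ama1pass word",
    "google.com": "gle.123 AZ 45 banana_30 goo1pass word",
}

# hashcat-style mask classes and the characters each covers.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation + " ",
}
PRINTABLE = 95  # size of ?a: 26 + 26 + 10 + 33


def _charclass(ch: str) -> str:
    for name, chars in CHARSETS.items():
        if ch in chars:
            return "?" + name
    return "?a"


def infer_mask(passwords: List[str]) -> str:
    """Columns identical in every sample stay literal; differing columns become a class."""
    if len({len(p) for p in passwords}) != 1:
        raise ValueError("positional masks need samples of one length")
    out = []
    for col in zip(*passwords):
        if len(set(col)) == 1:
            out.append("??" if col[0] == "?" else col[0])  # hashcat escapes a literal ? as ??
        else:
            classes = {_charclass(c) for c in col}
            out.append(classes.pop() if len(classes) == 1 else "?a")
    return "".join(out)


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask generates: product of class sizes, literals count 1."""
    sizes = {"l": 26, "u": 26, "d": 10, "s": len(CHARSETS["s"]), "a": PRINTABLE, "?": 1}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            total *= sizes[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def random_keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    return alphabet ** length


def _variable_runs(passwords: List[str]) -> List[Tuple[int, int]]:
    """Maximal [start, end) spans whose characters differ between samples."""
    differs = [len(set(col)) > 1 for col in zip(*passwords)]
    runs, i = [], 0
    while i < len(differs):
        if differs[i]:
            j = i
            while j < len(differs) and differs[j]:
                j += 1
            runs.append((i, j))
            i = j
        else:
            i += 1
    return runs


def infer_recipe(leaked: Dict[str, str]) -> Optional[List[Tuple[int, int, str]]]:
    """Assumption for this example: each varying span is the head or the tail of the
    site's first DNS label. Returns None when that does not explain every sample."""
    sites, pws = zip(*leaked.items())
    labels = [s.split(".")[0] for s in sites]
    recipe = []
    for start, end in _variable_runs(list(pws)):
        n = end - start
        segs = [p[start:end] for p in pws]
        if all(seg == lab[:n] for seg, lab in zip(segs, labels)):
            recipe.append((start, end, "head"))
        elif all(seg == lab[-n:] for seg, lab in zip(segs, labels)):
            recipe.append((start, end, "tail"))
        else:
            return None
    return recipe


def predict(leaked: Dict[str, str], site: str) -> str:
    """Instantiate the inferred recipe for a site that has not leaked yet."""
    recipe = infer_recipe(leaked)
    if recipe is None:
        raise ValueError("no site-name recipe explains the samples; fall back to the mask")
    template = list(next(iter(leaked.values())))
    label = site.split(".")[0]
    for start, end, where in recipe:
        n = end - start
        template[start:end] = list(label[:n] if where == "head" else label[-n:])
    return "".join(template)


if __name__ == "__main__":
    pws = list(LEAKED.values())
    mask = infer_mask(pws)
    print("mask:", mask)
    print(f"mask keyspace: {mask_keyspace(mask):,}")
    print(f"random 12 printable chars: {random_keyspace(12):,}")
    print("guess for github.com (assumed target):", predict(LEAKED, "github.com"))
```

Two leaked samples reduce a 37-character password to six free lowercase positions (26^6, about 3.1e8 candidates), roughly fifteen orders of magnitude fewer than a 12-character random string; once the attacker notices the free positions are slices of the domain name, the count for any further site drops to one guess. A passphrase of independently chosen random words has no such structure to find.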

  • Ren
    Community Member

    Hi @MikeT

    Looks pretty obvious once you've stated it! Thanks for the security and password lesson everyone, I learnt a lot on how to improve mine and why things I thought were clever actually aren't.

    No more question! :chuffed:

  • You're welcome and we're always happy to answer your questions, so don't hesitate to reach out any time you want to learn.

  • lumarel
    Community Member

    Hi all,

    Thanks for this great thread about password security!
    It could definitely be a wiki page for 'how to create safe passwords' :chuffed:

    I have to thank you as well for the great features Watchtower brings to us!
    It makes me sleep a lot better when I know that my passwords aren't leaked somewhere. :+1:

  • lumarel
    Community Member

    Hey @MikeT,

    Thanks for that hint :+1:
    I have read all these pages some time ago, but I can see it has got a lot of further development :chuffed:

  • Yep, we'll keep adding more and we also blog about security stuff as well (https://blog.1Password.com).

This discussion has been closed.